Cybercrime is a growing menace

The worth of the internet will be at stake if systems can’t be protected to the point the public lose confidence.

JUN 2017

Share

In mid-April, the ‘Shadow Hackers’ online group made public some malicious software known as ‘EternalBlue’ that had been stolen from the US government’s National Security Agency, which develops hacking tools to gather intelligence.

Luckily the ransomware, dubbed WannaCry, was quickly defused. But the speed and extent by which the malware spread, WannaCry’s household-name business victims such as Nissan and Renault, its disruption of the UK’s medical services and its ability to destroy data made the ransomware the most chilling cyberattack ever. But it’s perhaps not the most significant cyberattack ever. Many claim that emails hacked from Hillary Clinton’s presidential campaign and released via WikiLeaks helped Donald Trump become US president.

Other notorious incidents of cybercrime in recent years include attacks on the US Chipotle restaurant chain, the central Bangladesh Bank, Yahoo, Sony Pictures Entertainment, eBay, The Home Depot of the US and Target in the US. Verizon says that the number of data breaches around the world where at least 100 million identities were exposed numbered 15 in 2016, 13 in 2015 and 11 in 2014.[1] Cybercrime, according to some estimates, is already a US$1 trillion industry worldwide.[2] In the US, the FBI says that reported ransoms paid to hackers jumped from US$24 million in 2015 to US$209 million in the first three months of 2016.[3]

Whatever the true figures, identification theft, fraudulent online transfers, payment-card frauds, network assaults, denial-of-service attacks by malicious networks of computers (botnets), ransomware, cyberbullying, trolling and online child pornography are too common. They show that nothing is safe on the internet – apart from criminals, it seems. It is incredibly difficult to protect computers, networks and the internet from vandals, pranksters, criminals, terrorists, rogue governments and government-protected agents because networks are too widely used, too complex, too fragmented and too vulnerable to coding mistakes, ignorance and complacency, and too open to be defended. Governments engaged in cyberwarfare – the US military intelligence built EternalBlue – are possibly making the internet less safe. The growth in the cloud and the ‘Internet of Things’ magnify vulnerabilities. While the most likely outcome is that people will accept the crime risks of using the internet, a catastrophic attack that snaps the public’s faith in cybersecurity cannot be ruled out.

If people, businesses, governments and other bodies including hospitals can’t trust the internet to protect data, share files, host websites, seamlessly send and receive messages and make payments, an internet slowed by protections and precautions could assume a lower profile in everyday life – or fall well short of its potential anyway. But that won’t happen without a fight. Policymakers are making cybersecurity a top priority while an industry has sprung up to protect cyberspace. The fight to maintain the public’s trust in the security of internet will be never-ending.

To be sure, billions of interactions happen every day on the internet without hassle. A cyberattack is yet to trigger a catastrophe. Firewalls, virus antidotes and sophisticated behavioural defences help protect systems. Better protection is a key benefit of cloud computing. The payments companies, namely American Express, MasterCard, PayPal and Visa, have never suffered a significant breach, even though they are under constant attack. Neither have the big digital platforms and now the big cloud companies Amazon, Facebook, Google and Microsoft of the US and Alibaba and Baidu of China. The core problems, though, are that the foundations of the internet are insecure and making the internet safer from criminals makes it safer for villains too – encryption software and other efforts to legitimately protect privacy are prime examples of this dilemma. Cybersecurity will be an unwinnable war that taxes society. The challenge is to keep these costs well in check so that the internet remains a massive net benefit for the world. This goal is achievable, if cybersecurity receives the priority it is due.

Fragile and flawed

Networking hardware can offer cybercriminals a way into a network either by accident or by design. When new cutting-edge equipment is released, it is usually beyond the abilities of cybercriminals to exploit. Unfortunately, cybercriminals generally have time on their side because the expensive task of upgrading networking equipment is done sparingly by businesses. Older hardware is more vulnerable to attack. Hackers can exploit cracks in the links between different networking products from multiple companies. Finally, networking hardware companies may secretly provide ‘back doors’ for their governments to exploit. Criminals and others may take advantage should the government lose control of this information as happened with WannaCry.

Software may be even more vulnerable because each application consists of millions of lines of code. All programs contain coding mistakes and inefficiencies when launched. Software makers issue ‘patches’ for these errors, if they find them. This takes time and effort, which often only the largest software firms can afford. Even when patches are released, many users fail to install them in a timely manner, if at all. Companies sometimes avoid upgrading software because the latest versions might be incompatible with bespoke applications built internally or purchased from other vendors. The outcome is that much of the internet lies unprotected.

Once a software or hardware vulnerability is found and hackers seek to exploit it, to succeed, they first need to find a flaw that gives them an opening to embed into a computer some malicious digital instructions. This often doesn’t require advanced computer literacy, only a knowledge of human psychology. All it can take is one person to be fooled by an innocuous-looking ‘phishing’ email, click on a malicious web-based ad or download from a compromised site.

Hackers were around in the early days of computers but perhaps many were just geeks causing trouble for kicks. Nowadays, cybercriminal gangs run websites with drop-down crime menus, offer chat-app technical services to help would-be hackers and manage call centres to help victims pay ransoms. These felons are often protected by governments. They have access to cheap and easy-to-use tools that hack past password protections, even biometrics such as voice recognition, fingerprints and iris scanning.

Much criminal activity takes place on the ‘darknet’. This term describes a distributed anonymous network within the ‘deep web’ that takes special software to access and is beyond the reach of authorities (and search engines). Thanks to technological advancements that allow for mass criminal activity while protecting anonymity, cybercrime is lucrative, hard to detect and even harder to prosecute.

Negligent users or conflicted developers?

To help protect networks, governments including Australia’s have set up cybersecurity centres (acsc.gov.au) that pool knowledge from police, the military, academia and the private sector. An industry has sprung up to help mitigate cybercrime. Check Point Software Technologies, Cisco Systems, FireEye, Palo Alto Networks and Symantec are among the biggest listed cybersecurity companies. ‘Bug hunters’ are another source of internet protection. These are geeks who receive bounties from companies for finding flaws that can be fixed. Insurers are offering (partial) protection against cybercrime.

Source: Europol’s illustration of the ‘darknet’. “Serious and organised crime threat assessment 2017. Crime in the age of technology.”

A major responsibility for keeping the internet safe, however, lies with the operating-system developers such as Apple, Google and Microsoft, due to their huge number of users.

Microsoft software products include Windows XP, the model that WannaCry exploited. As is typical for software companies, Microsoft puts a finite life on its software versions when released. In the case of Windows, it is generally 10 years, well beyond the life of a PC on which it would run. In the case of Windows XP, Microsoft provided free support for more than 12 years. Microsoft needs an ‘end of life’ date on software because it is costly to update and patch a software version.

Despite the negligence of enterprises that still use Windows XP while refusing to pay for support after its ‘end of life’, in the aftermath of the WannaCry attack, Microsoft stood accused of holding back on issuing a free repair for Windows XP that could have protected users. (Almost perversely, such attacks boost software and security revenue for Microsoft and its peers.)

Critics suggest that Microsoft would have provided support if not for its profit motive to sell software patches, and that it has an incentive to avoid providing security updates on old software, to force people to buy the latest versions. A bugbear for many people is that companies such as Microsoft bear little or no responsibility under US law if their software is vulnerable to attack.

Expect big political fights about the liabilities of software makers in coming years as cybercrime costs mount. Stricter regulation around cybersecurity, though, could stifle innovation.

Invisible but lethal

While governments are giving greater priority to cybersecurity, the most likely catastrophic assault on the internet is by a state-sponsored cyberwarfare attack.

Western countries are especially vulnerable. They depend on the computer-based global financial system and their electric grids, emergency services, mobile communications and water services are operated by computers. Vast swathes of a country including major cities could suddenly be without power, water, the internet and emergency services.

While rogue governments are adept at cyberattacks, western democracies engage in the practice too. The ‘Hiroshima moment’ or watershed event for cyberwarfare arrived in 2010 when the US and Israel allegedly deployed the Stuxnet cyber virus to destroy centrifuges at an Iranian nuclear facility.

Cyberwarfare is likely to be a never-ending arms race. Democratic governments need to develop cyberwarfare technology to gather intelligence to protect their populations. The more weapons they create the more insecure adversaries feel, which prompts them to step up efforts. Another quandary is that intelligence agencies must decide whether or not to warn software manufacturers about flaws in their code. If they inform software makers (and they often do), intelligence agencies risk making worthless their cyberweaponary edge. Another conundrum is that technology companies don’t like that governments develop and hold cyberweaponary, yet they have refused to co-operate when terrorists use their platforms or encryption. Underlying all this is that cyberweapon technology can be easy to steal.

The Shadow Hackers’ release of the EternalBlue malware that turned up as WannaCry is the most obvious example of stolen cyberwarfare technology ending up with villains. And this episode isn’t over. Shadow Hackers has promised to release more malware stolen from US intelligence. The battle between cybercriminals and cybersecurity agents will be endless.

Important Information: This material has been prepared by Magellan Asset Management Limited trading as MFG Asset Management (‘MFG Asset Management’) for general information purposes and must not be construed as investment advice. This material does not constitute an offer or inducement to engage in an investment activity nor does it form part of any offer or invitation to purchase, sell or subscribe for in interests in any type of investment product or service. This material does not take into account your investment objectives, financial situation or particular needs. You should read and consider any relevant offer documentation applicable to any investment product or service and consider obtaining professional investment advice tailored to your specific circumstances before making any investment decision. This material and the information contained within it may not be reproduced or disclosed, in whole or in part, without the prior written consent of MFG Asset Management. Any trademarks, logos, and service marks contained herein may be the registered and unregistered trademarks of their respective owners. Nothing contained herein should be construed as granting by implication, or otherwise, any licence or right to use any trademark displayed without the written permission of the owner.

Statements contained in this material that are not historical facts are based on current expectations, estimates, projections, opinions and beliefs of Magellan. Such statements involve known and unknown risks, uncertainties and other factors, and undue reliance should not be placed thereon. Additionally, this material may contain “forward-looking statements”. Actual events or results or the actual performance of am MFG Asset Management financial product or service may differ materially from those reflected or contemplated in such forward-looking statements.

Certain economic, market or company information contained herein has been obtained from published sources prepared by third parties. While such sources are believed to be reliable, neither MFG Asset Management or any of its respective officers or employees assumes any responsibility for the accuracy or completeness of such information. No person, including MFG Asset Management, has any responsibility to update any of the information provided in this material.

How to invest

Magellan offers two market-leading strategies, global equities and global listed infrastructure. Find out how easy it is to invest in the world’s best companies, as chosen by Magellan’s experts.

Global equity products

You buy from the world’s best companies, so why not invest in them? Magellan offers a range of highly-rated global equity funds, containing some the world’s best companies that we believe are positioned to benefit from long-term investment tailwinds.

Please select your country

By clicking “I Agree” you represent that you are a ‘wholesale client’ under section 761G of the Corporations Act 2001 (Cth) (the “Act”). Further, you represent that you will not directly or indirectly disseminate information contained on this website to a ‘retail client’ within the meaning of section 761G of the Act.

This website contains general information only and does not take into account any person’s investment objectives, financial situation or needs. Nothing contained in the website constitutes a solicitation, recommendation, endorsement or offer to buy or sell any securities or other financial instruments.

Important Legal Information: The information contained in the Institutional section of this website is not intended to constitute:

any offer for sale or subscription of securities to the public in New Zealand in terms of the Securities Act 1978 of New Zealand (the 1978 Act) (or any statutory modification or re-enactment of, or statutory substitution for, the 1978 Act). Accordingly, no prospectus or investment statement for the purposes of the 1978 Act has been produced in respect of the information contained in the website and the information does not contain all the information typically included in a registered prospectus or an investment statement under the 1978 Act; or

the provision of "financial advice" under the Financial Advisers Act 2008 (the 2008 Act) (or any statutory modification or re-enactment of, or statutory substitution for, the 1978 Act).

By clicking "I agree," you agree that you have read the terms detailed below and confirm that:

1) you:

(i) are an "habitual investor" for the purposes of section 3(2)(a)(ii) of the 1978 Act. "Habitual investors" are persons whose principal business is the investment of money or who, in the course of and for the purposes of their business, habitually invest money; or

(ii) otherwise fall within one of the other categories set out in section 3(2)(a) of the 1978 Act, meaning that you are not a member of the public for the purposes of the 1978 Act; or

(iii) you are acting for a person described in (i) or (ii); and

2) you are a "wholesale client" for the purposes of the 2008 Act.

The information contained in the Institutional section of this website is intended only for institutions that are both (i) habitual investors or otherwise fall within one of the other categories set out in section 3(2)(a) of the 1978 Act and (ii) "wholesale clients" under the 2008 Act. Such persons shall be referred to as "institutional investors" herein. Persons who are not institutional investors should not review the information contained in the website. This website is supplied on the condition that it is not passed on to any person who is not an institutional investor.

Nothing on this website constitutes investment, legal, business, tax or any other type of advice. The information on this website does not take into account the particular financial and investment objectives, circumstances and needs of any person. Information on the website is not intended for investors in any jurisdiction in which distribution or purchase is not authorized.

Performance data shown represents past performance and is no guarantee of future results. Investment return and principal value fluctuate so your investment, when sold, may be worth more or less than the original cost; current performance may be lower or higher than quoted. Investors should be aware of the increased risks associated with investments in foreign/emerging markets securities, high yield securities and smaller companies.You are solely responsible for evaluating the risks and merits regarding the use of the website and any services provided within. Nothing contained in that website constitutes a solicitation, recommendation, endorsement or offer to buy or sell any securities or other financial instruments.

Important Legal Information: By clicking "I agree," the user agrees that I have read the terms detailed below and confirm that I am an Institutional Investor and that I wish to proceed.

Information contained in the Institutional section of this website is not intended for institutional investors in any jurisdiction in which distribution or purchase is not authorised.

The information is intended for institutional investors and consultants to institutional investors and is published for informational purposes only. The information is directed at informing persons falling within one or more of the following categories:

1) A government, local authority, or public authority;

2) A bank or insurance company;

3) A pension fund or charity;

4) An individual who is a "qualified client" under the Investment Advisers Act of 1940 and has experience in investment, financial and business matters to evaluate the risks of investing in securities;

5) Persons whose ordinary activities involve or are reasonably expect to involve them, as principal or as agent, in acquiring, holding, managing or disposing of investments for the purpose of a business carried on by them;

6) Persons whose ordinary business involves the giving of advice, which may lead to another person acquiring or disposing of an investment or refraining from so doing.

Persons who do not fall into one of the above categories should not review the information contained in this site.

Performance data shown represents past performance and is no guarantee of future results. Investment return and principal value fluctuate so your investment, when sold, may be worth more or less than the original cost; current performance may be lower or higher than quoted. Investors should be aware of the increased risks associated with investments in foreign/emerging markets securities, high yield securities and smaller companies.

Important Legal Information: By clicking "I agree," the user agrees that I have read the terms detailed below and confirm that I am an investment professional as that term is defined in the Handbook of the Financial Conduct Authority ("FCA") or that I am acting for an investment professional.

Information contained on the Institutional section of this website is not intended for investors in any jurisdiction in which distribution of the information or purchase is not authorized or permitted.

The information is exclusively intended for, and directed at, investment professionals and advisers to investment professionals. Any products and investment services that are referenced on this website are only available to, or will only be engaged in with, investment professionals. Investment professionals will usually fall within one or more of the following categories (terms used have the same meaning as in the FSA handbook):

1) An authorised person;

2) An exempt person;

3) A government, local authority (constituted in any jurisdiction) or an international organisation;

4) Any person whose ordinary activities involve him in carrying on an investment activity;

5) A person who is acting in their capacity as a director, officer or employee of the above.

Persons who do not fall into one of the above categories, or who do not otherwise constitute investment professionals, should not read or rely on the information contained on this website.

The information provided on this website is for information purposes only and nothing on this website constitutes investment, legal, business, tax or any other type of advice.

Any performance data shown represents past performance. Past Performance should not be taken as an indication or guarantee of future performance, and no representation or warranty, express or implied, is made regarding future performance. Investment return and principal value fluctuate so your investment, when sold, may be worth more or less than the original cost; current performance may be lower or higher than quoted. Investors should be aware of the risks associated with investments generally and the increased risks associated with investments in foreign/emerging markets securities, high yield securities and smaller companies.

Important Legal Information: By clicking "I agree," the user agrees that I have read the terms detailed below and confirm that I am an "Accredited Investor" and that I wish to proceed.

Information contained in the Institutional section of this website is not intended for accredited investors in any jurisdiction in which distribution or purchase is not authorized.

The information is intended for accredited investors and consultants to accredited investors, and is published for informational purposes only.

The term "Accredited Investor" is a defined term under the Canadian Securities Regulation and includes Institutional Investors, such as banks, insurance companies, trust and loan companies, and pension plans. It also includes individuals provided they meet certain net worth or income thresholds. For more information, refer to National Instrument 45-106 of the Canadian Securities Administrators or consult your legal adviser.

Persons who do not fall into the definition above should not review the information contained in the site.

Performance data shown represents past performance and is no guarantee of future results. Investment return and principal value fluctuate so your investment, when sold, may be worth more or less than the original cost; current performance may be lower or higher than quoted. Investors should be aware of the increased risks associated with investments in foreign/emerging markets securities, high yield securities and smaller companies.

Important Legal Information: By clicking "I agree," the user agrees that I have read the terms detailed below and confirm that I am an "Institutional Investor" and that I wish to proceed.

Information contained in the Institutional section of this website is not intended for institutional investors in any jurisdiction in which distribution or purchase is not authorized.

The information is exclusively intended for, and directed at eligible counterparties or professional clients as defined under the German Securities Trading Act. For more information, consult your legal adviser.

Nothing on this website constitutes investment, legal, business, tax or any other type of advice. The information on this website does not take into account the particular financial and investment objectives, circumstances and needs of any person. Information on the website is not intended for investors in any jurisdiction in which distribution or purchase is not authorized.

Performance data shown represents past performance and is no guarantee of future results. Investment return and principal value fluctuate so your investment, when sold, may be worth more or less than the original cost; current performance may be lower or higher than quoted. Investors should be aware of the increased risks associated with investments in foreign/emerging markets securities, high yield securities and smaller companies.

You are solely responsible for evaluating the risks and merits regarding the use of the website and any services provided within. Nothing contained in that website constitutes a solicitation, recommendation, endorsement or offer to buy or sell any securities or other financial instruments.

Important Legal Information: By clicking "I agree," the user agrees that I have read the terms detailed below and confirm that I am an "Institutional Investor" and that I wish to proceed.

Information contained in the Institutional section of this website is not intended for institutional investors in any jurisdiction in which distribution or purchase is not authorized.

The information is intended for institutional investors and consultants to institutional investors, and is published for informational purposes only. The information is directed at non-retail clients falling within one or more of the following categories:

1) A government, local authority or public authority;

2) A bank or insurance company;

3) A pension fund or charity;

4) An individual who provides one or more investment services on a professional basis;

5) Persons whose ordinary activities involve or are reasonably expect to involve them, as principal or as agent, in acquiring, holding, managing or disposing of investments for the purposes of a business carried on by them;

6) Persons whose ordinary business involves the giving of advice, which may lead to another person acquiring or disposing of an investment or refraining from so doing.

Persons who do not fall into one of the above categories should not review the information contained in the site.

Performance data shown represents past performance and is no guarantee of future results. Investment return and principal value fluctuate so your investment, when sold, may be worth more or less than the original cost; current performance may be lower or higher than quoted. Investors should be aware of the increased risks associated with investments in foreign/emerging markets securities, high yield securities and smaller companies.

Important Legal Information: By clicking "I agree," the user agrees that I have read the terms detailed below and confirm that I am an "Institutional Investor" and that I wish to proceed.

Information contained in the Institutional section of this website is not intended for institutional investors in any jurisdiction in which distribution or purchase is not authorized.

The information is exclusively intended for, and directed at institutional investors, accredited investors and expert investors as defined under the Securities and Futures Act (Singapore) (“SFA”) For more information, refer to the SFA or consult your legal adviser.

Nothing on this website constitutes investment, legal, business, tax or any other type of advice. The information on this website does not take into account the particular financial and investment objectives, circumstances and needs of any person. Information on the website is not intended for investors in any jurisdiction in which distribution or purchase is not authorized.

Performance data shown represents past performance and is no guarantee of future results. Investment return and principal value fluctuate so your investment, when sold, may be worth more or less than the original cost; current performance may be lower or higher than quoted. Investors should be aware of the increased risks associated with investments in foreign/emerging markets securities, high yield securities and smaller companies.

You are solely responsible for evaluating the risks and merits regarding the use of the website and any services provided within. Nothing contained in that website constitutes a solicitation, recommendation, endorsement or offer to buy or sell any securities or other financial instruments.

Important Legal Information: By clicking "I agree," the user agrees that I have read the terms detailed below and confirm that I am a "professional investor" as defined under the Securities and Futures Ordinance of Hong Kong (the “Ordinance”) and any rules made under the Ordinance, and that I wish to proceed.

Information contained in the Institutional section of this website is not intended for institutional investors in any jurisdiction in which distribution or purchase is not authorized.

The information is exclusively intended for, and directed at, professional investors as defined under the Ordinance and any rules made under the Ordinance or as otherwise may be permitted by the Ordinance. For more information, refer to the Securities and Futures Commission of Hong Kong or consult your legal adviser.

Nothing on this website constitutes investment, legal, business, tax or any other type of advice. The information on this website does not take into account the particular financial and investment objectives, circumstances and needs of any person. Information on the website is not intended for investors in any jurisdiction in which distribution or purchase is not authorized.

Performance data shown represents past performance and is no guarantee of future results. Investment return and principal value fluctuate so your investment, when sold, may be worth more or less than the original cost; current performance may be lower or higher than quoted. Investors should be aware of the increased risks associated with investments in foreign/emerging markets securities, high yield securities and smaller companies.

You are solely responsible for evaluating the risks and merits regarding the use of the website and any services provided within. Nothing contained in that website constitutes a solicitation, recommendation, endorsement or offer to buy or sell any securities or other financial instruments.

Thank you for your interest. We are committed to expanding our institutional website to meet the needs of our global investor base. We do not, however, have content approved for your location at this time. For additional information please email institutional@magellangroup.com.au

Important Information

This document does not constitute an offer of units in a Magellan Fund in any jurisdiction other than Australia or New Zealand (or in jurisdictions where it is lawful to make such an offer). Applications for units in a Magellan Fund from residents outside of Australia and New Zealand may not be accepted.

By clicking on the "I Confirm" button below you are confirming that you are a resident of Australia or New Zealand (or that you are acting on behalf of a person who is a resident in one of those jurisdictions).